ForgeRock Identity Platform 7.5

User self-service overview

User self-service lets users create and manage their own accounts, while you control the available features. You manage features and user journeys through the Identity Platform admin UI. Because this service relies on both AM and IDM, it requires the platform to function.

It is possible to configure authentication journeys through the AM admin UI, where they are called trees; however, this documentation uses the Identity Platform admin UI:

  • The Identity Platform admin UI can duplicate an existing tree, making it easier to experiment with new flows without changing the behavior of the current tree.

  • Some tree-level configuration is not available from the AM admin UI, such as setting the IDM object type you are interacting with, stored in the identityResource property in your tree object. This defaults to managed/user. To work with a different managed object, such as managed/devices, set it either through the REST API or through the Identity Platform admin UI.

  • User self-service journeys use many Identity Management nodes. When adding scripts to journeys, you reference properties from Identity Management nodes differently than from AM attributes. Refer to Scripting tips for more information.

Before continuing, make sure you have successfully configured the platform. There are several methods you can use to set up the platform:

  • Configure and set up the platform using Kubernetes.

    For more information about setting up the ForgeRock Identity Platform with Kubernetes, refer to the ForgeOps documentation.

  • Alternatively, manually configure the platform integration between AM and IDM.

    For details, refer to the sample platform setup pages.

This documentation references sample authentication trees that demonstrate various features of self-service. Depending on your configuration method, these trees may already be included. If they aren’t already present, or you deleted the trees and want to re-create them, find the sample trees in sample-trees-7.5.0.zip included with AM. For more information about adding these trees to the platform, refer to Configure authentication trees.

This documentation focuses on the platform implementation of user self-service. ForgeRock recommends this implementation for new deployments.

To use the IDM-specific or AM-specific implementations, refer to the instructions in the IDM self-service reference and the AM user self-service documentation.

Nodes for self-service journeys

Incompatible nodes

Since user self-service is built using authentication journeys, nearly any authentication node can be used in your self-service flow. The following nodes are not compatible with platform-based self-service, however:

  • OAuth 2.0 node

  • Social Facebook node

  • Social Google node

  • Social Ignore Profile node

  • OpenID Connect node

  • Provision IDM Account node

  • Create Password node

  • Password Collector node

  • Username Collector node

If you are using a third-party node from the ForgeRock Marketplace, check with the developer for compatibility.

Sample journeys include the following:

Registration

The sample Registration journey describes a basic registration flow, where ForgeRock Identity Platform prompts the user to provide several profile attributes, then attempts to create the user and log the user in. You can find this journey in AM samples in root/AuthTree/PlatformRegistration.json. For details, refer to User self-registration. For more information about configuring registration to include social identity providers, refer to Social authentication.

Login

The sample Login journey describes a basic login flow, where the user is prompted to provide a username and password, then passed to a progressive profile journey before being logged in. You can find this journey in AM samples in root/AuthTree/PlatformLogin.json. For details, refer to Login with self-service. For more information about including social identity providers in a login journey, refer to Social authentication.

Progressive Profiles

The sample Progressive Profile journey is called by the Login journey sample. It checks the login count to determine whether further action is needed. If no action is required, it returns to the Login journey to complete logging in. If the specified number of logins is reached, it instead checks whether user preferences have been set, and if not, prompts the user to set those preferences. It then returns to the Login journey to finish logging in. You can find this journey in AM samples in root/AuthTree/PlatformProgressiveProfile.json. For more information about using progressive profiling, refer to Progressive profile.

Password Reset

The Password Reset sample journey provides a method for users to reset their password by providing their email and answering some security questions. If the questions are answered correctly, the user is emailed a password reset link, which they must click to proceed. They are then presented with a password prompt to enter a new password. You can find this journey in AM samples in root/AuthTree/PlatformResetPassword.json. For more information, refer to Password reset.

Forgotten Username

The Forgotten Username sample journey gives users a method to recover their username by entering an email address. If the email address is associated with a user account, the account’s username will be emailed to the user. The email includes a link to log in, which will take the user through the Login journey. You can find this journey in AM samples in root/AuthTree/PlatformForgottenUsername.json. For more information, refer to Username recovery.

Update Password

The Update Password sample journey lets users change their passwords. The journey assumes that the user has already logged in successfully. It checks the user’s session data and, if the session is valid, prompts the user to update their password. You can find this journey in AM samples in root/AuthTree/PlatformUpdatePassword.json. For more information, refer to Password updates.